<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head th:replace="~{common/common::head}"></head>
<body>
<div class="layuimini-container">
    <div class="layuimini-main">
        <div class="layui-row layui-col-space15">
            <div class="layui-col-md12">
                <fieldset class="layui-elem-field layui-field-title">
                    <legend>
                        <a style="color: rgb(30 159 255)" class="xss-reflect">跨站脚本攻击 - 反射型XSS</a>
                    </legend>
                    <blockquote class="layui-elem-quote layui-quote-nm"
                                style="font-size: 15px;background-color: #a7deefab;box-shadow: 0 .125rem .25rem rgba(0, 0, 0, .075) !important">
                        <pre>  XSS(跨站脚本攻击)利用浏览器对服务器内容的信任，攻击者通过在网页中注入恶意脚本，使这些脚本在用户的浏览器上执行，从而实现攻击。常见的XSS攻击危害包括窃取用户会话信息、篡改网页内容、将用户重定向到恶意网站，以及执行恶意操作(如点击劫持和钓鱼攻击)
  反射型XSS：攻击者通过在URL参数中注入恶意脚本，使服务器将该脚本直接反射回用户浏览器并执行。该攻击一般不涉及数据库，而是通过服务器处理用户请求时立即返回恶意内容</pre>
                    </blockquote>
                </fieldset>
            </div>

            <div class="layui-col-md12" style="margin-top: 10px">
                <div class="layui-row layui-col-space15">
                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-anquan"> 安全代码：用户输入验证和过滤</span></h1>
                        <div class="layui-tab layui-tab-brief">
                            <ul class="layui-tab-title">
                                <li class="layui-this">前端白名单</li>
                                <li>后端白名单</li>
                            </ul>
                            <div class="layui-tab-content">
                                <div class="layui-tab-item layui-show">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" style="display: flex; justify-content: space-between;">
                                            <input type="text" name="content" style="width: 300px;" required
                                                   lay-verify="required" value="<script>alert(/xss/)</script>"
                                                   autocomplete="off"
                                                   class="layui-input" id="safe1-CheckUserInput-front-input">
                                            <div style="display: flex; align-items: center;">
                                                <select class="layui-form-select" lay-filter="safe1-CheckUserInput-front">
                                                    <option value="">示例Payload</option>
                                                    <option value="123&lt;u&gt;A&lt;/u&gt;123">123&lt;u&gt;A&lt;/u&gt;123</option>
                                                    <option value="123&lt;script&gt;alert(/xss/)&lt;/script&gt;123">
                                                        123&lt;script&gt;alert(/xss/)&lt;/script&gt;123
                                                    </option>
                                                    <option value="123&lt;img src onerror=alert(/xss/)&gt;123">
                                                        123&lt;img src onerror=alert(/xss/)&gt;123
                                                    </option>
                                                    <option value="123&lt;a href=javascript:alert(/xss/)&gt;Click Me&lt;/a&gt;123">
                                                        123&lt;a href=javascript:alert(/xss/)&gt;Click Me&lt;/a&gt;123
                                                    </option>
                                                </select>
                                                <button class="layui-btn layui-btn-normal" style="width: 100px; margin-left: 10px;" lay-filter="safe1-CheckUserInput-front" lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-tab-item">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" style="display: flex; justify-content: space-between;">
                                            <input type="text" name="content" style="width: 300px;" required
                                                   lay-verify="required" value="<script>alert(/xss/)</script>" autocomplete="off"
                                                   class="layui-input" id="safe1-CheckUserInput-back">
                                            <button class="layui-btn layui-btn-normal" style="width: 100px; margin-left: 10px;" lay-filter="safe1-CheckUserInput-back" lay-submit="">
                                                <span class="iconfont icon-zhihang">Run</span>
                                            </button>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-bullhorn icon-tip"></i>tips</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre style="color: #28333e;font-size: 15px;">
前端白名单：在前端代码中执行，用于过滤或验证用户输入的数据，UI友好，不安全，容易被绕过
后端白名单：后端业务逻辑处理或数据支持化层面执行，更安全，不易绕过
                                            </pre>
                                            <div class="layui-col-md12">
                                                <div class="layui-card">
                                                    <div class="layui-card-header"><i class="fa fa-warning icon-output-safe"></i>测试结果</div>
                                                    <div class="layui-card-body layui-text layadmin-text">
                                                        <pre id="safe1-CheckUserInput-result" style="color: red;font-size: 15px;"></pre>
                                                    </div>
                                                </div>
                                            </div>
                                        </div>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>

                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-code"> 安全代码</span></h1>
                        <div class="m-auto div-shadow shadow p-3 mb-5 bg-white rounded">
                            <div class="code-editor" id="safe1CheckUserInput"></div>
                        </div>
                    </div>
                </div>
            </div>

            <div class="layui-col-md12" style="margin-top: 10px">
                <div class="layui-row layui-col-space15">
                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-anquan"> 安全代码：内容安全策略-CSP防护</span></h1>
                        <div class="layui-tab layui-tab-brief">
                            <ul class="layui-tab-title">
                                <li class="layui-this">前端Meta配置</li>
                                <li>后端Header配置(推荐)</li>
                            </ul>
                            <div class="layui-tab-content">
                                <div class="layui-tab-item layui-show">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <p>在HTML页面的头部添加meta标签来配置 CSP</p>
                                        <a target="_blank" href="/xss/reflect/a-safe2-CSP-front">
                                            <button class="layui-btn layui-btn-normal" style="width: 100px; margin-left: 10px;">
                                                <span class="iconfont icon-zhihang">Run</span>
                                            </button>
                                        </a>
                                    </blockquote>
                                </div>

                                <div class="layui-tab-item">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <p>后端通过配置Content-Security-Policy响应头</p>
                                        <a target="_blank" href="/xss/reflect/safe2CSP?content=可结合响应包分析🤔️123<u>A</u>123<script>alert(/xss/)</script>123">
                                            <button class="layui-btn layui-btn-normal" style="width: 100px; margin-left: 10px;">
                                                <span class="iconfont icon-zhihang">Run</span>
                                            </button>
                                        </a>
                                    </blockquote>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-bullhorn icon-tip"></i>tips</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre style="color: #28333e;font-size: 15px;">  内容安全策略(CSP：Content Security Policy)是一种由浏览器实施的安全机制(可理解为额外的安全层)，旨在减少和防范跨站脚本攻击等安全威胁
  核心原理：网站通过发送一个CSP header头部(也可以在html直接设置)，告诉浏览器具体的策略(什么是授权的与什么是被禁止的)，从而防止恶意内容的加载和执行
  CSP 指令说明：
    default-src: 指定默认的加载内容的来源，如果未指定其他指令，则默认应用此指令
    script-src: 指定允许加载 JavaScript 的来源
    style-src: 指定允许加载样式表的来源
    img-src: 指定允许加载图片的来源
    connect-src: 指定允许向其发送请求的来源(例如 AJAX、WebSocket 连接等)</pre>
                                        </div>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>

                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-code"> 安全代码</span></h1>
                        <div class="m-auto div-shadow shadow p-3 mb-5 bg-white rounded">
                            <div class="code-editor" id="safe2CSP"></div>
                        </div>
                    </div>
                </div>
            </div>

            <div class="layui-col-md12" style="margin-top: 10px">
                <div class="layui-row layui-col-space15">
                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-anquan"> 安全代码：特殊字符实体转义</span></h1>
                        <div class="layui-tab layui-tab-brief">
                            <ul class="layui-tab-title">
                                <li class="layui-this">Manual自定义</li>
                                <li>Spring框架</li>
                            </ul>
                            <div class="layui-tab-content">
                                <div class="layui-tab-item layui-show">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" style="display: flex; justify-content: space-between;">
                                            <input type="text" name="content" style="width: 300px;" required
                                                   lay-verify="required" value="<script>alert(/xss/)</script>"
                                                   autocomplete="off"
                                                   class="layui-input" id="safe3-EntityEscape-input">
                                            <div style="display: flex; align-items: center;">
                                                <select class="layui-form-select" lay-filter="safe3-EntityEscape">
                                                    <option value="">示例Payload</option>
                                                    <option value="123&lt;u&gt;A&lt;/u&gt;123">123&lt;u&gt;A&lt;/u&gt;123</option>
                                                    <option value="123&lt;script&gt;alert(/xss/)&lt;/script&gt;123">
                                                        123&lt;script&gt;alert(/xss/)&lt;/script&gt;123
                                                    </option>
                                                    <option value="123&lt;img src onerror=alert(/xss/)&gt;123">
                                                        123&lt;img src onerror=alert(/xss/)&gt;123
                                                    </option>
                                                    <option value="123&lt;a href=javascript:alert(/xss/)&gt;Click Me&lt;/a&gt;123">
                                                        123&lt;a href=javascript:alert(/xss/)&gt;Click Me&lt;/a&gt;123
                                                    </option>
                                                </select>
                                                <button class="layui-btn layui-btn-normal" style="width: 100px; margin-left: 10px;" lay-filter="safe3-EntityEscape" lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-tab-item">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" style="display: flex; justify-content: space-between;">
                                            <input type="text" name="content" style="width: 300px;" required
                                                   lay-verify="required" value="<script>alert(/xss/)</script>" autocomplete="off"
                                                   class="layui-input" id="safe3-EntityEscape">
                                            <p>使用Spring框架内置安全工具类实体转义</p>
                                            <button class="layui-btn layui-btn-normal" style="width: 100px; margin-left: 10px;" lay-filter="safe3-EntityEscape" lay-submit="">
                                                <span class="iconfont icon-zhihang">Run</span>
                                            </button>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-bullhorn icon-tip"></i>tips</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre style="color: #28333e;font-size: 15px;">
实体编码（Entity Encoding）是一种将特殊字符转换为HTML实体的过程，以确保这些字符能够在HTML文档中正确显示而不会被解释为HTML标记。
常见的实体编码包括将 &lt; 转换为 &amp;lt; 将 &gt; 转换为 &amp;gt; 等。
PS：这里前端实体编码Demo放到了存储型XSS模块中
                                            </pre>
                                            <div class="layui-col-md12">
                                                <div class="layui-card">
                                                    <div class="layui-card-header"><i class="fa fa-warning icon-output-safe"></i>测试结果</div>
                                                    <div class="layui-card-body layui-text layadmin-text">
                                                        <pre id="safe3-EntityEscape-result" style="color: red;font-size: 15px;"></pre>
                                                    </div>
                                                </div>
                                            </div>
                                        </div>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>

                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-code"> 安全代码</span></h1>
                        <div class="m-auto div-shadow shadow p-3 mb-5 bg-white rounded">
                            <div class="code-editor" id="safe3EntityEscape"></div>
                        </div>
                    </div>
                </div>
            </div>

            <div class="layui-col-md12" style="margin-top: 10px">
                <div class="layui-row layui-col-space15">
                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-anquan"> 安全代码：HttpOnly配置</span></h1>
                        <div class="layui-tab layui-tab-brief">
                            <div class="layui-tab-content">
                                <div class="layui-tab-item layui-show">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" style="display: flex; justify-content: space-between;">
                                            <input type="text" name="content" style="width: 300px;" required
                                                   lay-verify="required" value="<script>alert(/xss/)</script>"
                                                   autocomplete="off"
                                                   class="layui-input" id="safe4-HttpOnly-input">
                                            <div style="display: flex; align-items: center;">
                                                <select class="layui-form-select" lay-filter="safe4-HttpOnly">
                                                    <option value="">示例Payload</option>
                                                    <option value="123&lt;u&gt;A&lt;/u&gt;123">123&lt;u&gt;A&lt;/u&gt;123</option>
                                                    <option value="123&lt;script&gt;alert(document.cookie)&lt;/script&gt;123">
                                                        123&lt;script&gt;alert(document.cookie)&lt;/script&gt;123
                                                    </option>
                                                    <option value="123&lt;img src onerror=alert(document.cookie)&gt;123">
                                                        123&lt;img src onerror=alert(document.cookie)&gt;123
                                                    </option>
                                                    <option value="123&lt;a href=javascript:alert(document.cookie)&gt;Click Me&lt;/a&gt;123">
                                                        123&lt;a href=javascript:alert(document.cookie)&gt;Click Me&lt;/a&gt;123
                                                    </option>
                                                </select>
                                                <button class="layui-btn layui-btn-normal" style="width: 100px; margin-left: 10px;" lay-filter="safe4-HttpOnly" lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-bullhorn icon-tip"></i>tips</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre style="color: #28333e;font-size: 15px;">  单个接口配置：并非所有的cookie都必须设置为HttpOnly，可能有一些cookie是需要客户端JavaScript访问的，例如用于前端操作或分析目的的cookie
  全局配置场景：在整个应用程序中所有的cookie都具有HttpOnly属性，可以考虑在全局配置中进行设置
使用HttpOnly并不是绝对安全的，以下三个场景还是会存在安全问题：
    1、当攻击者使用CSRF+XSS进行攻击时，可绕过绕过浏览器的安全限制
    2、中间人攻击
    3、恶意浏览器插件</pre>
                                            <div class="layui-col-md12">
                                                <div class="layui-card">
                                                    <div class="layui-card-header"><i class="fa fa-warning icon-output-safe"></i>测试结果</div>
                                                    <div class="layui-card-body layui-text layadmin-text">
                                                        <pre id="safe4-HttpOnly-result" style="color: red;font-size: 15px;"></pre>
                                                    </div>
                                                </div>
                                            </div>
                                        </div>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>

                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-code"> 安全代码</span></h1>
                        <div class="m-auto div-shadow shadow p-3 mb-5 bg-white rounded">
                            <div class="code-editor" id="safe4HttpOnly"></div>
                        </div>
                    </div>
                </div>
            </div>

        </div>
    </div>
</div>

<script th:replace="~{common/common::script}"></script>
<script type="text/javascript">
    layui.use(['layer', 'miniTab', 'common', 'form'], function () {
        var $ = layui.jquery,
            layer = layui.layer,
            miniTab = layui.miniTab,
            common = layui.common,
            form = layui.form;
        miniTab.listen();
        layer.msg("跨站脚本-反射型");

        // 提交前做个前端校验 校验成功才发送请求
        common.formListenFun("safe1-CheckUserInput-front", "frontEnd", "/xss/reflect/safe1CheckUserInput", "safe1-CheckUserInput-result", "get");
        common.formListenFun("safe1-CheckUserInput-back", "backEnd", "/xss/reflect/safe1CheckUserInput", "safe1-CheckUserInput-result", "get");
        common.selectListenFun("safe1-CheckUserInput-front", "safe1-CheckUserInput-front-input");

        common.formListenFun("safe3-EntityEscape", "manual", "/xss/reflect/safe3EntityEscape", "safe3-EntityEscape-result", "get");
        common.formListenFun("safe3-EntityEscape", "spring", "/xss/reflect/safe3EntityEscape", "safe3-EntityEscape-result", "get");
        common.selectListenFun("safe3-EntityEscape", "safe3-EntityEscape-input");

        common.formListenFun("safe4-HttpOnly", "", "/xss/reflect/safe4HttpOnly", "safe4-HttpOnly-result", "get");
        common.selectListenFun("safe4-HttpOnly", "safe4-HttpOnly-input");

        var cmConfigSafe = {
            lineNumbers: true,
            lineWrapping: false,
            indentUnit: 4,
            indentWithTabs: true,
            theme: 'juejinsafe',
            styleActiveLine: {nonEmpty: true},
            fontSize: "18px",
            mode: "text/x-java"
        };

        CodeMirror(document.getElementById("safe1CheckUserInput"), Object.assign({}, cmConfigSafe, {
            value: safe1CheckUserInput
        }));
        CodeMirror(document.getElementById("safe2CSP"), Object.assign({}, cmConfigSafe, {
            value: safe2CSP
        }));
        CodeMirror(document.getElementById("safe3EntityEscape"), Object.assign({}, cmConfigSafe, {
            value: safe3EntityEscape
        }));
        CodeMirror(document.getElementById("safe4HttpOnly"), Object.assign({}, cmConfigSafe, {
            value: safe4HttpOnly
        }));
        $('.xss-reflect').hover(function () {
            $(this).css('cursor', 'pointer');
            layer.tips('攻击流程图', this, {
                tips: [1, '#0051ff'],
                time: 2000
            });
        });

        $('.xss-reflect').on('click', function () {
            layer.open({
                type: 1,
                title: false,
                closeBtn: 1,
                area: ['837px', '649.8px'], // 宽高缩小为0.9倍
                shadeClose: true,
                content: '<div style="text-align: center;"><img src="/static/images/vul/xss/reflect.png" style="width: 100%; height: 50%;"></div>'
            });
        });
    });

</script>
</body>
</html>
